This article describes how developers unintentionally expose sensitive data (information leakage) and how to prevent it.

Introduction

This is Part 4 of my series "Hack proof your ASP.NET application". In this article I will describe how we sometimes unintentionally expose sensitive information, or leak information, to a hacker who then uses it to attack us. Keeping the two terms separate: "Sensitive data exposure" is exposure that can directly harm an individual or an organization; "Information leakage" is what helps an attacker perform malicious activities. Both terms are correlated: information leakage can include sensitive data exposure and vice versa.

Sensitive Data Exposure:

First you need to find out what "sensitive data" means for your business: what your business "terms and conditions" or "policies" say, and what offerings you provide to your consumers or customers. Sensitive data is data that can directly harm an individual or an organization.

Sensitive data includes passwords, credit card numbers and personal information, and may include email addresses, depending on the business policy of the website.

Impact of Sensitive Data Exposure :

Sensitive data may be exposed accidentally (an application error or bug) or maliciously by a hacker.

There are multiple points where sensitive data may be exposed by an ASP.NET application:

As we can see in the image above, there is no place that is safe: an attacker can try to get sensitive data from the victim's (client) machine, the victim's browser (cache), the server's config, log and temp files, and the database (using SQL injection or from the config file).

How to prevent from Sensitive Data Exposure:

Sensitive data can be exposed internally and externally.

To prevent insider attacks you need to control who gains access to your application and your data backups.

To prevent outsider attacks you need to encrypt all "sensitive data" on the network.

6. Do not store sensitive data unnecessarily (as many online payment gateways do: they do not store credit card details, they just pass them on and forget them). If you do want to store such details then you must be PCI DSS compliant, which includes:

Protect stored cardholder data

Encrypt transmission of cardholder data across open, public networks.

Is encrypting the config file really necessary in ASP.NET? Nowadays I think not, because IIS7 does not allow the config file to be accessed directly from a URL. IIS7 restricts it by default: every request is filtered through <requestFiltering> (learn more about it under Request Filtering). However, if a web server has been compromised, allowing remote access to the server itself, then having an encrypted web.config file will be the least of your worries :P

Information leakage:

Revealing system data or debugging information helps an attacker learn about the system and plan an attack accordingly. Information leakage is not a direct attack; it just helps an attacker gather information about the system that enables another attack.

What can an attacker gather?

Software versions (so the attacker can look for known vulnerabilities of that particular version)

System types (SQL Server, IIS, MySQL, etc.)

Login IDs and email addresses (now the attacker only has to find your password)

Tracing and debugging information

How does an attacker gather information?

An attacker behaves like a detective who collects all the information about the victim. These are some of the ways they do it:

1. Search engines: search engines index information about every website, and attackers take advantage of that.

Your application framework version (helps the attacker form an attack according to framework vulnerabilities)

Virtual directory path

2. Finding organization documents

site:www.[domain_name].com .xls .doc .ppt
(Precede your query with site: if you know you want your answer from a specific site or type of site.)

3. Forcing errors to see details:
Attackers try to cause errors in the application (ASP.NET) and gather information about its version. In the worst case they gather the connection string, credentials, etc.

An attacker can pass input whose length is not handled in the code (for example a query string value that exceeds the maximum of an Int32 variable). The following details may be exposed by causing an error:

The connection string is exposed by causing an error in an ASP.NET application (this is the worst case; I am just showing what an attacker does to hack an ASP.NET application, and I know nobody uses this coding standard nowadays, but still).

Coding implementation style

Physical location (path) of the application

The ASP.NET version is exposed

4. HTTP headers reveal information too:

I have used Fiddler (a free tool to inspect the traffic of any application) to see the HTTP response headers from the server.

If you look at the Miscellaneous node of the HTTP response headers, these details reveal that the application is:

an MVC application

the framework version is 4.0

the server is Microsoft-IIS

5. Login/sign-up pages help an attacker find out whether an email address is valid (for example, hackers try to log in to many web applications as administrator@domain.com; they can confirm this email via the sign-up page when it tells them the ID already exists).

All of the above are just some examples of how an attacker gathers information about an application. There may be other ways too.

How to prevent an ASP.NET application from information leakage:

1. Always redirect to an error page when any error occurs (don't reveal anything from the error).

In an ASP.NET application:
Step 1: Create an error page (or pages) according to the error.
Step 2: In the application's web.config set the default redirection when any error occurs:

The customErrors node causes the application to redirect to the page given by the defaultRedirect attribute. There are three modes in customErrors: On, Off and RemoteOnly. I personally use RemoteOnly because it automatically works only when the application is deployed, not at development time, so I can see the errors during development and fix them.

Using the customErrors node you can also redirect according to the status code of the response:
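A web.config that puts the customErrors redirection together with the header, tracing and request-filtering settings discussed above (an added example, not the configuration shown in the original article; the pages under ~/Error/ are assumed placeholders, and .bak/.log are just examples of leftover files that should never be served):

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Step 2: on any unhandled error, send the client to a generic page that reveals nothing.
         RemoteOnly shows the real error details only to a browser running on the server itself. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error/Generic.aspx">
      <!-- Optional per-status-code pages; anything else falls back to defaultRedirect. -->
      <error statusCode="404" redirect="~/Error/NotFound.aspx" />
      <error statusCode="500" redirect="~/Error/Generic.aspx" />
    </customErrors>
    <!-- Never ship a debug build or page tracing to production: both leak source paths and internals. -->
    <compilation debug="false" />
    <trace enabled="false" localOnly="true" />
    <!-- Drops the X-AspNet-Version response header that Fiddler showed. -->
    <httpRuntime enableVersionHeader="false" />
    <!-- Keep session/auth cookies away from script and off plain HTTP (assumes the site is served over HTTPS). -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
  <system.webServer>
    <!-- IIS7 request filtering already blocks web.config and other ASP.NET source files by default;
         extend the deny list to backup/log files that would otherwise be downloadable from the web root. -->
    <security>
      <requestFiltering>
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".bak" allowed="false" />
          <add fileExtension=".log" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
    <!-- Remove the X-Powered-By header IIS adds by default. -->
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

The Server and X-AspNetMvc-Version headers cannot be removed from web.config alone on IIS7: the MVC header is switched off in code with MvcHandler.DisableMvcResponseHeader = true (for example in Application_Start), and the Server header needs an HttpModule or the URL Rewrite module.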

5. Beware: error/information messages should not give too much information.

We hate this message from some websites at login time: "your credentials are incorrect". But some websites do it deliberately; they don't want to tell you which one is incorrect, the password or the user ID.

6. Search for your application on search engines (Google, Bing, Yahoo, ...) to see what is indexed there.


About the Author

I do believe life is to help others ... So here I am. In my spare time I learn new things about programming and try to help people with my knowledge.
I'm an energetic, self-motivated and hard-working developer and information technology professional with experience in projects, website design and development.